Organisations in Scotland and the UK doubled their information security budgets last year, spending £6.2m on average but nearly one-fifth (18%) don’t know how many cyber-attacks they experienced last year and 17% of all respondents don’t know the likely source of security incidents.
In the week the new National Cyber Security Centre opened in the UK, PwC has published the findings of its latest annual Global State of Information Security Survey 2017, produced in conjunction with CIO and CSO, based on interviews with over 10,000 executives from more than 133 countries, including 479 respondents in Scotland, England, Wales and Northern Ireland.
With security incidents now costing an organisation an average of £2.6m (up from £1.7m last year, an increase of 53%), executives around the world are waking up to the fact that they can no longer afford to take a passive approach to protecting their assets, leading to the increase in budgets.
Colin Slater, cyber security partner at PwC in Scotland said:
“Cyber security isn’t a problem that you can just throw cash at and hope for the best, leaving it to a few IT teams to try and sort out.
“Proper cyber security involves not only raising awareness amongst every member of staff but ensuring it is ingrained in every part of a company, all the way to the C suite. It’s not something that you attend to once and then ignore. It’s an ongoing, developing and repeating business issue.”
To help increase awareness of cyber security issues, PwC in Scotland was announced as co-sponsors of the first Scottish Cyber Security Awards, organised by the Scottish Business Resilience Centre.
Boards in the UK aren’t getting as involved as other markets either in setting the security budget, or more importantly the strategy. Only a third of UK companies (33%) have the board involved in setting security budgets compared to the 39% global average, and even fewer (28%) partake in the strategy (42.5% globally).
John Whitehill, cyber security director for PwC in Scotland, said:
“Cyber security is far more than just building security controls – it’s about changing your organisation to be secure and for staff to be more aware. Driving messages around ‘secure by design’ is a positive way to remind everyone they have a role to play in responding to cyber security risks
“There’s also a competitive advantage to this. A considered and focused approach to cyber security is recognised by progressive organisations as a competitive differentiator. We are seeing evidence of organisations responding to tenders using their cyber security activity as an example of strong corporate risk management.
“Senior leadership teams need to be educated and more involved in this issue, feeding upwards to board level but also downwards to their teams, so that a strategic overview can be taken while also ensuring staff understand the importance of good cyber security protocols and governance.”
Not only have the average number of security incidents UK companies faces increased by 23% in the last year to 5,792, but the threat landscape is also changing. The top insider risk and source of incidents for UK organisations continues to be current employees, with former employees a close second, but current service providers, consultants or contractors are increasingly likely to be the cause of cyber threat to a business now too.
It’s also clear that phishing still works to target these groups, with the majority of cyber security breaches reportedly caused by phishing incidents (37%).
Colin Slater continued:
“Instilling a cyber-aware culture in an organisation, and controlling who has access to what information, continues to be of utmost importance. Even with the best technology available on the market, employees can still be your weakest link.
“But when trying to assess your ‘insider’ risk, it’s important to look not only at your internal data, people and processes, but also at the third party relationships closely connected to your business – that is where the threat increasingly lies.”
Security incidents are now costing organisations more and 79% of UK companies have suffered down-time because of them. Despite this, this year’s study showed a decrease in the number of UK companies who are investing in cyber insurance. In the previous study, 59% had a cyber insurance policy, but in the last year this has decreased to only 38% of respondents reporting to have one (and 10% of these don’t even know what it covers), compared to 53% globally.
UK organisations are also more likely than the rest of the world to keep their cards close to their chest and not share security knowledge with others. Only 40% collaborate with others to reduce future risks, compared to over half across Europe (52%) and globally (55%).
Colin Slater concluded:
“UK companies remain wary about sharing security knowledge, but working with partners within a particular industry can significantly improve threat intelligence awareness and an organisation’s ability to spot potential incidents before they escalate.
“The organisations that get their approach to cyber security right are the ones that will prosper, build trusted brands and sustained value.”
Notes for editors.
1. The Global State of Information Security® Survey 2017 - http://www.pwc.co.uk/cyber-security/insights/global-state-of-information-security-survey-2017.html - is a worldwide study by PwC, CIO and CSO. It was conducted online from April 4, 2016, to June 3, 2016. Readers of CIO and CSO and clients of PwC from around the globe were invited via email to take the survey.
2. The results discussed in this report are based on the responses of more than 10,000 executives including CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents, and directors of IT and information security from more than 133 countries. Thirty-four percent (34%) of respondents were from North America, 31% from Europe, 20% from Asia Pacific, 13% from South America, and 3% from the Middle East and Africa. The margin of error is less than 1%. There were 479 UK responses.
CIO is the content and community resource for information technology executives and leaders thriving and prospering in this fast-paced era of IT transformation in the enterprise. The award-winning CIO portfolio—CIO.com, CIO magazine (launched in 1987), CIO executive programs, CIO strategic marketing services, CIO Forum on LinkedIn, CIO Executive Council and CIO primary research—provides business technology leaders with analysis and insight on information technology trends and a keen understanding of IT’s role in achieving business goals. Additionally, CIO provides opportunities for IT solution providers to reach this executive IT audience. CIO is published by IDG Enterprise, a subsidiary of International Data Group (IDG), the world’s leading media, events, and research company. Company information is available at http://www.idgenterprise.com/.
CSO is the content and community resource for security decision-makers leading “business risk management” efforts within their organization. For more than a decade, CSO’s award-winning web site (CSOonline.com), executive conferences, strategic marketing services and research have equipped security decision-makers to mitigate both IT and corporate/physical risk for their organizations and provided opportunities for security vendors looking to reach this audience. To assist CSOs in educating their organizations’ employees on corporate and personal security practices, CSO also produces the quarterly newsletter Security Smart. CSO is published by IDG Enterprise, a subsidiary of International Data Group (IDG), the world’s leading media, events and research company. Company information is available at www.idgenterprise.com.
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 223,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.
PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
© 2016 PwC. All rights reserved